
For twenty years people have been running Java in their browsers. And for much of that time, malicious hackers have been exploiting vulnerabilities in the plugin to infect computers.

Although the number of outbreaks caused by zero-day vulnerabilities found in the Java plugin has reduced in recent years, many users have found it hard to muster much love for the technology.

And yet, the Java browser plugin has plodded on, shrugging off the brickbats and abuse, and doggedly providing support for the odd, ageing website and bespoke applications relied upon by corporations.

But now, the Java plugin’s days are numbered – as Oracle announced it will “deprecate” the plugin in its Java Development Kit 9, scheduled to be released in September 2016.

Supporting Java in browsers is only possible for as long as browser vendors are committed to supporting standards based plugins. By late 2015, many browser vendors had either removed or announced timelines for the removal of standards based plugin support, while some are introducing proprietary browser-specific extension APIs. Consequently, Oracle is planning to deprecate the Java browser plugin in JDK 9.

By “deprecate”, Oracle doesn’t mean that the Java plugin will be killed stone dead. Instead they will increasingly hide it, and not encourage users to install it. In due course, the software will be entirely removed.

Of course, Oracle isn’t dropping support for Java entirely – but with the demise of the unpopular web browser plugin, it hopes users will be happy to switch over to its replacement – the plugin-free Java Web Start technology – which does not rely upon a browser, and is considered a safer way to run Java applications.

To be honest, the Java plugin’s days have been numbered for some time – with the rise of smartphone usage, and the way most modern browsers are reducing support for plugins.

In short, the browser manufacturers – in their quest for greater security and stability – were making the Java plugin irrelevant, regardless of Oracle’s plans for their software.

Oracle isn’t the only company having to recognise that the world is changing. Adobe, developers of the often-attacked Flash plugin, recently made clear that it was moving away from the platform to an HTML5-based future.

Oracle has published a white paper (ironically in Adobe PDF format – but you’ve kept your copy of Adobe Reader updated, right?) explaining how corporations can best migrate to solutions such as Java Web Start.

Java version 9 is already available as an early access beta for those who want to get an early ticket for the funeral. I doubt there will be too many mourners.



Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.


  • Coyote

    Mourners? Probably not any except those webmasters who live in the past (and more correctly are afraid to learn something new, better, safer, perhaps because of laziness or maybe because of inability to learn due to funds [if corporate] or otherwise – but at least they will have to sooner than later … or so is the hope).

    Celebrators? Of course there are many of those. I am especially thrilled that Adobe is finally suggesting moving away from Flash. Now if only webmasters will take a hint here…. I doubt they will any time soon because again the webmasters simply don’t care to learn anything new; it’s convenient, it gets the job done, it’s this and it’s that. Unfortunately it’s not always only the provider that is the problem when you want to get rid (also obtain) of the service.

  • Chris Jones

    No, don’t bother with flowers. Don’t even mourn. Celebrate!! Most of us will be glad to see that go, along with Flash. Those companies whose products are web-delivered Java apps had better get busy, though. I recall some years back using Oracle’s e-Business suite (their ERP system) which was launched through a web browser navigating to an intranet site, and the applications were all Java. Oracle was very, very slowly and gradually building purely web-based versions of all that stuff but as of the time I left that company (last time I used the product) the web apps were still nowhere close to being feature complete enough to replace the Java forms. I suspect there are other large application suites that are built in Java that are delivered through a web browser. Still, good riddance. They’re the same ones who also made it necessary to have an outdated insecure Java on my system all the time because they always lagged behind and required some version of Java which was already superseded and for which a load of critical security bulletins had piled up.

  • mountwe

    Fine if you/they tell developers to stop writing programs that require java. Just this week my manager wanted me to make it possible for her to scan to her computer from a Lexmark printer. Hoops and gyrations.

    In order to scan, one first had to set up a scan profile on the target PC. In order to set up a scan profile, the Lexmark REQUIRED Java. In order to make it work I had to install an extension for Chrome – IE Tab – to make Chrome think it was IE!?! Then you had to click the IE Tab icon every time you wanted to scan. I won’t take time to detail the havoc that caused with browsing, email, etc.

    Note that I DID try IE first. That would not work. I downloaded Safari. That would not work. The only way I got it to work was what I said.

    So no browsers are going to support Java in the browser, eh? So next time my manager details me to do something and it turns out to REQUIRE Java, I what? Tell her she needs to call Oracle??

  • Jen Norton

    Finally my dream come true after 18 years the garbage of JAVA is starting to DIE, just 17 years too late.
